Password authenticator#

Trino supports authentication with a username and password via a custom password authenticator that validates the credentials and creates a principal.


PasswordAuthenticatorFactory is responsible for creating a PasswordAuthenticator instance. It also defines the name of this authenticator which is used by the administrator in a Trino configuration.

PasswordAuthenticator contains a single method, createAuthenticatedPrincipal(), that validates the credential and returns a Principal, which is then authorized by the System access control.

The implementation of PasswordAuthenticatorFactory must be wrapped as a plugin and installed on the Trino cluster.


After a plugin that implements PasswordAuthenticatorFactory has been installed on the coordinator, it is configured using an etc/ file. All of the properties other than are specific to the PasswordAuthenticatorFactory implementation.

The property is used by Trino to find a registered PasswordAuthenticatorFactory based on the name returned by PasswordAuthenticatorFactory.getName(). The remaining properties are passed as a map to PasswordAuthenticatorFactory.create().

Example configuration file:

Additionally, the coordinator must be configured to use password authentication and have HTTPS enabled (or HTTPS forwarding enabled).